what could kill nstic
play

What could kill NSTIC? A Friendly Threat Assessment In Three Parts - PowerPoint PPT Presentation

Jun 29, 2023 •245 likes •1.11k views

What could kill NSTIC? A Friendly Threat Assessment In Three Parts January 2013 Phil Wolff Strategy Director Personal Data Ecosystem Consortium phil@pde.cc. @evanwolf. Linkedin Download the whitepaper: http://pde.cc/nsticrisks High hopes for

  1. What could kill NSTIC? A Friendly Threat Assessment In Three Parts January 2013 Phil Wolff Strategy Director Personal Data Ecosystem Consortium phil@pde.cc. @evanwolf. Linkedin Download the whitepaper: http://pde.cc/nsticrisks

  2. High hopes for an ID ecosystem Can we get to an international digital identity system?

  3. High hopes for an ID ecosystem Can we get to an International, User-Centric digital identity system that works across Industries? Cultures? Technologies? Governments? Regulatory schemes?

  4. High hopes for an ID ecosystem This effort is driven in the United States under a 2004 program initiated by the National Strategy for Trusted Identity in Cyberspace through the National Institute of Standards and Technology (NIST) of the US Department of Commerce.

  5. Our findings, in short: The two most serious threats to NSTIC’s success: a user experience imbalance among that doesn’t work the forces that hold an identity ecosystem together.

  6. A dozen of us met • to list and score threats to the NSTIC Identity Ecosystem vision. • Internet Identity Workshop, Mountain View, California – October 2012 – May 2011.

  7. We asked: If NSTIC fails by 2016, what could have brought it down?

  8. HERE’S OUR HYPOTHETICAL FAILURE SCENARIOS 2016 POST-MORTEM OF NSTIC

  9. We spoke in the past-tense as if the failures had happened.

  11. We didn’t cooperate to build an ID ecosystem. We should have played well with others.

  12. We didn’t cooperate to build an ID ecosystem. We should have played well with others. Took too long. Strung out by process problems. (Alternatives emerged.)

  13. We didn’t cooperate to build an ID ecosystem. We should have played well with others. Industry failed to build it. (Capital and management didn’t prioritize.)

  14. We didn’t cooperate to build an ID ecosystem. We should have played well with others. NSTIC community became balkanized. NSTIC community lost cohesion; didn’t listen to each other. (Little to no interop.)

  15. We didn’t cooperate to build an ID ecosystem. We should have played well with others. The program was co-opted by a Big Brother government. (Not trustworthy internationally and for many purposes.)

  16. Just because it’s built doesn’t mean they’ll use it.

  17. Just because it’s built doesn’t mean they’ll use it. Worked, but was not trusted. (Failed Brand).

  18. Just because it’s built doesn’t mean they’ll use it. Was subverted and insecure. (Legitimately Untrusted).

  19. Just because it’s built doesn’t mean they’ll use it. Enterprise didn’t adopt it. (Business case not well made.)

  20. Just because it’s built doesn’t mean they’ll use it. After one failure, supporters abandoned the project. “Burned once, twice shy.” (Shallow, brittle commitment; low tolerance for failure.)

  21. Just because it’s built doesn’t mean they’ll use it. The IE was an empty room. No critical mass formed. There was an imbalance of supply and demand. (Anchor tenants didn’t sign on. Institutions didn’t enroll millions of users or pull in industry ecosystems.)

  22. Just because it’s built doesn’t mean they’ll use it. Citizens didn’t want trusted identity. (Poor market fit; lack of perceived benefit over alternatives.)

  23. We didn’t build the right things the right way.

  24. We didn’t build the right things the right way. A local failure took down the whole identity ecosystem. (Failures of ecosystem trust, architecture, integration testing, and risk analysis.)

  25. We didn’t build the right things the right way. The IdP/RP/Trust identity model was inferior to newer models. (Technology risk.)

  26. We didn’t build the right things the right way. The IdP/RP/Trust identity model broke at scale or broke in diverse contexts. (Project design risk.)

  27. We didn’t build the right things the right way. Miscommunication within the Identity Ecosystem contributed to its death. (Poor cooperation, weak community, high self-interest, low trust.)

  28. Failed User Experience.

  29. Failed User Experience. UX was too hard.

  30. Failed User Experience. Everything went wrong that could go wrong.

  31. We Built-In Structural Instability.

  32. We Built-In Structural Instability. Along with user experience, structural instability was the big issue, according to the group…

  33. We Built-In Structural Instability. • Four pillars of the ecosystem must be strong • Technology • Economics • Policy • Culture • Each relationship among them was imbalanced.

  34. We Built-In Structural Instability. Each of these pillars were operating on different tempos. • It was fast to iterate improved user experiences but slow to socialize each round among public policy and enterprise lawyers, for example.

  35. We Built-In Structural Instability. Motivations were misaligned. • Some companies, for example, engineered tariffs for data sharing into their terms of service, cutting off public sector and NPOs from their customers.

  36. We Built-In Structural Instability. Core ideas didn’t survive translation. • Several large Internet engineering companies backed out of supporting IE infrastructure because the “Easy ID” brand became a running joke on sitcoms, SNL, and a biting meme on YouTube.

  37. We Built-In Structural Instability. Liability was broken. • Tragic risks were taken with some technologies and contracts by pushing exposure from those who enabled risk to those who didn’t.

  38. This session was in October 2012. • But wait, there’s more…

  39. We did a similar exercise 18 months earlier in May 2011 with a similar group. https://secure.flickr.com/photos/philwolff/5713880402/ cc-by Phil Wolff 2. EIGHTEEN MONTHS E 2. EIGHTEEN MONTHS EARLIER... ARLIER...

  40. Key Risks (via 2011) :

  41. Key Risks (via 2011) : Lack of adoption.

  42. Key Risks (via 2011) : Impatience for long learning curve.

  43. Key Risks (via 2011) : Usability failures. (early concern)

  44. Key Risks (via 2011) : Interop failures.

  45. Key Risks (via 2011) : Overscope.

  46. Key Risks (via 2011) : Security problems like phishing and malware drawn by money.

  47. Key Risks (via 2011) : Perversion of principles.

  48. Key Risks (via 2011) : Chicken vs. Egg problems.

  49. Key Risks (via 2011) : Short Attention Span and the Hype Cycle

  50. Key Risks (via 2011) : Regulatory blocks privacy laws antitrust concerns uncertainty about liability

  51. Key Risks (via 2011) : Waiting for Winners

  52. Key Risks (via 2011) : Dystopian Fear

  53. Key Risks (via 2011) : Over-promising by tech communities to policy communities

  54. Key Risks (via 2011) : • Lack of adoption. • Chicken vs. Egg problems. • Impatience for long • Short Attention Span and learning curve. the Hype Cycle • Usability failures. • Regulatory blocks including privacy laws, • Interop failures. antitrust concerns and • Overscope. uncertainty about liability • Security problems like • Waiting for Winners phishing and malware • Dystopian Fear drawn by money. • Over-promising by tech to • Perversion of principles. policy communities

  55. We had time, in the 2011 session, to brainstorm what might avoid or mitigate these threats.

  56. Action: Small successes Build confidence

  57. Action: Industry marketing, PR, Media/Voice Build public understanding

  58. Action: Community user experience sharing (KM) Accelerate design

  59. Action: Cultivate Engineering Focus Developer relations

  60. Action: Governance driving Interop Testing Interop is a leadership challenge

  61. Action: Clear/Graded Roadmap Short term plans, long term visions

  62. Action: Electronic Authentication Guideline, NIST SP 800-63, and other threat comment Connect to existing NIST processes

  63. Action: Security Council / Antiphishing Working Group Make security an explicit IESG activity

  64. Action: Government Affairs activity Engage US and other governments

  65. Action: OIX Risk Wiki Engage the OIX community

  66. The fear of “failure to deliver” was still there. WHA WHAT CHANGED T CHANGED BETWEEN THE TWO BETWEEN THE TWO SESSIONS? SESSIONS?

  67. What changed between the two sessions? 1. Outside forces like dystopian fear among users, security failures, and regulatory challenges were less prominent or not mentioned. � 2. Drivers of failure expanded almost exclusively to internal ones. �

  68. What changed between the two sessions? The primary concern: leadership Once funding, staffing, and collaboration started: the identity ecosystem did not take charge and master the challenges as they emerged.

  69. 3. Last minute update... Arbroath Cliffs Warning Notice CC-BY-NC Alan Parkinson

  70. Cuts are coming • US federal government is cutting spending in 2013 as we prepare this paper in December 2012. • By cleaver if a “fiscal cliff avoiding” budget is passed • By chainsaw if Congress and the President fall over the “cliff.”

  71. Direct effects. Nobody knows if this will directly affect NIST and the NIST staff managing the NSTIC project.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NSTIC, Privacy and Social Login Presentation at the W3C Workshop on Identity in the Browser

NSTIC, Privacy and Social Login Presentation at the W3C Workshop on Identity in the Browser

NSTIC, Privacy and Social Login Presentation at the W3C Workshop on Identity in the Browser Francisco Corella and Karen P. Lewison Pomcor 1 05/03/2011 Pomcor Getting Rid of Passwords n is one long term goal of NSTIC n But it may

255 views • 7 slides
PD Targets for Various Infection Types: Stasis vs. 1-Log Kill vs. 2 Log Kill G.L. Drusano, M.D.

PD Targets for Various Infection Types: Stasis vs. 1-Log Kill vs. 2 Log Kill G.L. Drusano, M.D.

PD Targets for Various Infection Types: Stasis vs. 1-Log Kill vs. 2 Log Kill G.L. Drusano, M.D. Professor and Director Institute for Therapeutic Innovation University of Florida PD Targets Nosocomial Pneumonia To have insight into

237 views • 22 slides
TSUNAMIS TSUNAMIS WHAT ARE THEY? WHAT ARE THEY? and and WHY DO THEY KILL SO WHY DO

TSUNAMIS TSUNAMIS WHAT ARE THEY? WHAT ARE THEY? and and WHY DO THEY KILL SO WHY DO

TSUNAMIS TSUNAMIS WHAT ARE THEY? WHAT ARE THEY? and and WHY DO THEY KILL SO WHY DO THEY KILL SO MANY PEOPLE? MANY PEOPLE? J. David Rogers J. David Rogers Department of Geological Sciences & Engineering University of

589 views • 39 slides
WHAT DISINFECTANTS MOST EFFECTIVELY KILL BACTERIA? Bio Club 10/21/15 HOW DO DISINFECTANTS/

WHAT DISINFECTANTS MOST EFFECTIVELY KILL BACTERIA? Bio Club 10/21/15 HOW DO DISINFECTANTS/

WHAT DISINFECTANTS MOST EFFECTIVELY KILL BACTERIA? Bio Club 10/21/15 HOW DO DISINFECTANTS/ ANTISEPTICS WORK? Disinfectants are used on surfaces, antiseptics are used on living tissues (humans) Bactericidal: kill bacteria Bacteriostatic: stop

132 views • 12 slides
The great unhinging The erosion of rule of law in the Philippines ANU Philippines Project August

The great unhinging The erosion of rule of law in the Philippines ANU Philippines Project August

The great unhinging The erosion of rule of law in the Philippines ANU Philippines Project August 23, 2018 Three pillars of dutertes strongman rule Rule of law is fast eroding I Kill, kill, kill: War on drugs II No to dissent and use of

456 views • 26 slides
The Plot to Kill Jesus (Wednesday-Thursday) The Plot to Kill Jesus (Wednesday-Thursday) We

The Plot to Kill Jesus (Wednesday-Thursday) The Plot to Kill Jesus (Wednesday-Thursday) We

The Plot to Kill Jesus (Wednesday-Thursday) The Plot to Kill Jesus (Wednesday-Thursday) We are not certain what Jesus did on this day. Maybe He spent the day teaching in the temple? Maybe He spent the day making preparations for the

269 views • 16 slides
Wanted Bacteria: Dead or Dead The development of a kill switch that activates upon a cell escaping

Wanted Bacteria: Dead or Dead The development of a kill switch that activates upon a cell escaping

Wanted Bacteria: Dead or Dead The development of a kill switch that activates upon a cell escaping from the laboratory setting into the surrounding environment The Public Fear of Genetically Modified Organisms Development of a Kill Switch

383 views • 27 slides
kill Run default signal handler! Process Process A B kill signal(SIGINT, func) Process

kill Run default signal handler! Process Process A B kill signal(SIGINT, func) Process

Process Process A B kill Run default signal handler! Process Process A B kill signal(SIGINT, func) Process Process A B signal(SIGINT, func) Process Process A B kill Run fun signal handler! Terminate process Generate Core

506 views • 23 slides
Become a Progressive No Kill Community without Breaking the Bank Presented by:

Become a Progressive No Kill Community without Breaking the Bank Presented by:

Become a Progressive No Kill Community without Breaking the Bank Presented by: Hillsborough County Pet Resources & The Humane Society of Tampa Bay Sponsored by: Best Friends Animal Society, Inc. Paradigm Shift in Public Sheltering

454 views • 16 slides
The Cyber Kill Chain The Students of Network Security Why Do We Need It? Since the start of

The Cyber Kill Chain The Students of Network Security Why Do We Need It? Since the start of

The Cyber Kill Chain The Students of Network Security Why Do We Need It? Since the start of the internet age, vulnerabilities have been exploited by ill-meaning users. Important data in military and commercial applications were commonly

1.14k views • 34 slides
COMMUNICATION OR THE KILL SWITCH PROBLEM Deb Housen-Couriel, Adv. The government of

COMMUNICATION OR THE KILL SWITCH PROBLEM Deb Housen-Couriel, Adv. The government of

BLOCKING OF CYBER-ENABLED COMMUNICATIONS BY STATES: RAMIFICATIONS FOR THE FREEDOM OF COMMUNICATION OR THE KILL SWITCH PROBLEM Deb Housen-Couriel, Adv. The government of Ethiopia has demonstrated its ability and willingness to

569 views • 27 slides
Cybercrime Kill Chain vs. Effec4veness of Defense Layers

Cybercrime Kill Chain vs. Effec4veness of Defense Layers

Cybercrime Kill Chain vs. Effec4veness of Defense Layers Dr. Stefan Frei & Francisco Arts @stefan_frei @franklyfranc

787 views • 60 slides
Aspect Ratio Test Slide A 2.0 IS NOT GOING TO KILL YOU BUT IT WILL TRY by Jan Lehnardt at

Aspect Ratio Test Slide A 2.0 IS NOT GOING TO KILL YOU BUT IT WILL TRY by Jan Lehnardt at

Aspect Ratio Test Slide A 2.0 IS NOT GOING TO KILL YOU BUT IT WILL TRY by Jan Lehnardt at ApacheCon EU 2016 in Sevilla Hi, my name is Jan Lehnardt, Im a developer and business person from Berlin, Germany JAN LEHNARDT CouchDB since 2006

1.32k views • 119 slides
1 A SMALL STILL VOICE 2 James 4:2-3 Ye lust, and have not: ye kill, and desire to have, and

1 A SMALL STILL VOICE 2 James 4:2-3 Ye lust, and have not: ye kill, and desire to have, and

1 A SMALL STILL VOICE 2 James 4:2-3 Ye lust, and have not: ye kill, and desire to have, and cannot obtain: ye fight and war, yet ye have not, because ye ask not. Ye ask, and receive not, because ye ask amiss, that ye may consume it upon your

675 views • 28 slides
A View To A Kill ! WebView Exploitation ! Ma#hias'Neugschwandtner' Mar2na'Lindorfer'

A View To A Kill ! WebView Exploitation ! Ma#hias'Neugschwandtner' Mar2na'Lindorfer'

A View To A Kill ! WebView Exploitation ! Ma#hias'Neugschwandtner' Mar2na'Lindorfer' Chris2an'Platzer' ' Interna2onal'Secure'Systems'Lab' Vienna'University'of'Technology' Web - Views ! Consumption of web content shifts to mobile devices

257 views • 13 slides
He says hell kill the dog if I leave Family violence, pets and vets : An Australian

He says hell kill the dog if I leave Family violence, pets and vets : An Australian

He says hell kill the dog if I leave Family violence, pets and vets : An Australian study Dr Lydia Tong Taronga Conservation Society Australia University of Sydney An introduction Commenwealth Mongrel Vet by training worked in

491 views • 14 slides
Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE,

Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE,

Transporting Voice by Using IP NTP VoIP Testbed: A SIP-based VoIP Platform Department of CSIE, NCTU Quincy Wu Email: solomon@ipv6.club.tw 1 Outline Introduction Voice over IP RTP & SIP NTP VoIP Platform Conclusion

1.02k views • 64 slides
Streaming XML With Jabber/XMPP Ralph Meijer and Peter Saint-Andre Streaming XML With Jabber/XMPP

Streaming XML With Jabber/XMPP Ralph Meijer and Peter Saint-Andre Streaming XML With Jabber/XMPP

Streaming XML With Jabber/XMPP Ralph Meijer and Peter Saint-Andre Streaming XML With Jabber/XMPP p.1/25 Introduction This presentation gives an overview of Jabber/XMPP technologies. The following topics will be discussed: What is

263 views • 25 slides
IETF Standardization Process and German Activities: a Brief Overview Prof. Dr. Xiaoming Fu

IETF Standardization Process and German Activities: a Brief Overview Prof. Dr. Xiaoming Fu

IETF Standardization Process and German Activities: a Brief Overview Prof. Dr. Xiaoming Fu Computer Networks Group Institute of Computer Science Georg-August-Universitt Gttingen http:/ / www.net.informatik.uni-goettingen.de/ IETF Overview

317 views • 4 slides
Extended INCident Handling Working Group (INCH)

Extended INCident Handling Working Group (INCH)

Internet Engineering Task Force Extended INCident Handling Working Group (INCH) http://www.cert.org/ietf/inch/inch_interim_2004.html 12:00 16:00 Sunday, June 13 2004 Interim Meeting Budapest, Hungary Roman Danyliw, <rdd@cert.org>

396 views • 16 slides
Long-Term IETF Support May 2016 How Is the IETF Currently Funded? IE IETF Funding Sources

Long-Term IETF Support May 2016 How Is the IETF Currently Funded? IE IETF Funding Sources

Jari Arkko Sean Turner Greg Kapfer ISOC Board Chair, IETF ISOC CFO Treasurer Expert, Ericsson Long-Term IETF Support May 2016 How Is the IETF Currently Funded? IE IETF Funding Sources 2008-2016 ( 2016 (US$ 000s S$ 000s) $7, $7,000 000

135 views • 11 slides
Internet Engineering Task Force 2019 Review Alissa Cooper IETF Chair Making the Internet work

Internet Engineering Task Force 2019 Review Alissa Cooper IETF Chair Making the Internet work

Internet Engineering Task Force 2019 Review Alissa Cooper IETF Chair Making the Internet work better Technical highlights 2 Applications -- Highlights DNS over HTTPS Web Real-Time Communication (WebRTC) RFC 8484 Overview Applications

474 views • 12 slides
Moving from Innovation to Mainstream Part 1 Eric Siow Crossing the Chasm Part 2

Moving from Innovation to Mainstream Part 1 Eric Siow Crossing the Chasm Part 2

Next Steps for The Web of Things: Moving from Innovation to Mainstream Part 1 Eric Siow Crossing the Chasm Part 2 Michael McCool Standards Development Prioritization PART 1 Crossing the Chasm 2 Outline Part 1 State of the

473 views • 19 slides
SCTP User Message Interleaving Integration and Validation Felix Weinrank Michael Txen Irene

SCTP User Message Interleaving Integration and Validation Felix Weinrank Michael Txen Irene

SCTP User Message Interleaving Integration and Validation Felix Weinrank Michael Txen Irene Rngeler Erwin P. Rathgeb 1 Outline Brief introduction to SCTP Message interleaving and stream scheduler Integration and validation

427 views • 17 slides

More recommend